EDIT 11-29-2017 08:33:

On twitter today, a tweet came up talking about how you can login to a 10.13 machine, with the account root and no password. You can use this prompt at the Login Window, Screen Saver, System Preferences,a ARD session, and Screen Sharing. It does not affect the Filevault Login Window.

Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as “root” with empty password after clicking on login button several times. Are you aware of it @Apple?

This is confirmed on 10.13.0, 10.13.1, and 10.13.2b5. This does not affect 10.11, or 10.12

The above does not depend on what level of permissions the user has. It works on a standard account or an admin account.

There’s a few paths you can go to mitigate.

First if your users are admins, you could just create a loginless root that redirects it to a false shell. While this is not a whole fix, its a temp patch. This creates a backdoor that can be exploited. /usr/bin/dscl . -create /Users/root UserShell /usr/bin/false

To exploit this as pointed out by Jesse Peterson that a user may still elevate their privileges using a command likeosascript -e 'do shell script "id" user name "root" password "" with administrator privileges

The end all, would be to enable root with a user and password, and change the shell.
To enable Root with a random password.